Learning Kali Linux





What Is Reconnaissance?
Perhaps it’s better to start with a definition of reconnaissance just so we’re all on the
same page, so to speak. According to Merriam-Webster, reconnaissance is a “preliminary
survey to gather information” and the definition goes on to suggest a connection
to the military. The military suggestion isn’t entirely out of bounds here, considering
the way we talk about information security. We talk about arms races, attacking,
defending, and of course, reconnaissance. What we are doing here is trying to gather
information to make our lives as testers (attackers or adversaries) easier. Although
you can go blindly at your testing and just throw as much at the wall as you can think
of, generally speaking, testing is not an unlimited activity. We have to be careful and
conscious with our time. It’s best to spend a little time up front to see what we are
facing rather than spending a lot of time later shooting into the dark.
When you start gathering information about your target, it’s usually best to not make
a lot of noise. You want to start making your inquiries at a distance without engaging
your target directly. Obviously, this will vary from engagement to engagement. If you
work at a company, you may not need to be quiet, because everyone knows what you
are doing. However, you may need to use the same tactics we’ll talk about to determine
the sort of footprint your company is leaving. You may find that your company
is leaking a lot of information to public outlets that it doesn’t mean to leak. You can
use the open source intelligence tools and tactics to help protect your company
against attack.
OPSEC
One important concept worth going into here is that of OPSEC, or operations security.
You may have heard the expression “Loose lips sink ships” that originated in
World War II. This phrase is a brief encapsulation of what operations security means.
Critical information related to a mission must remain secret. Any information leakage
can compromise an operation. When it comes to military missions, that secrecy
even extends to families of members of the military. If a family member were to let it
be known that their loved one were deployed to a particular geographic location and
maybe that loved one has a specific skillset, people might figure out what is happening.
Two plus two, and all that. When too much information is publicly available
about your company, adversaries (whatever their nature is) may be able to infer a lot
about the company. Employing essential components of OPSEC can be important to
keeping attackers away as well as protecting against information leakage to competitors.
It may also be helpful to understand the type of attackers your company is most concerned
about. You may be concerned about the loss of intellectual property to a competitor.
You may also be concerned with the much broader range of attacks from
organized crime and nation-states looking for targets of opportunity. These distinctions
can help you determine the pieces of information you are most concerned with
keeping inside the company and what you are comfortable with letting out.
If we were thinking just of network attacks, we might be satisfied here with port scanning
and service scanning. However, a complete security test may cover more than
